Site to site VPN not working between two 871 routers

jsandau
Level 1

I have two 871 routers and I can't seem to get the site-to-site VPN working between them. When I do a site-to-site test connection I get this error: "there is no response from peer 208.38.11.xx". When I try to ping that IP address from the Cisco I get no reply. My site and the peer site are on the same ISP, and this ISP has had problems in the past where two nodes on the same network couldn't communicate with each other. So before I spend two hours on hold with this ISP I want to make sure that the problem is not with the Cisco configurations. Here are the running configs:

Host A:

Building configuration...

Current configuration : 3387 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname *HostA*
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$ePDD$ijslwDCnljz232ikk30PL/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
!
!
dot11 syslog
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.0.1 10.10.10.99
ip dhcp excluded-address 10.10.10.201 10.10.255.254
!
ip dhcp pool vlan1
   import all
   network 10.10.0.0 255.255.0.0
   default-router 10.10.10.1
   dns-server 207.229.52.2 205.233.109.40
!
!
ip cef
ip name-server 207.229.52.2
ip name-server 205.233.109.40
!
!
!
username *Username* privilege 15 password 0 *Password*
username operator privilege 7 secret 5 $1$rHHQ$prD8o7Nc75TKImW5cqMn6.
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Cisc0VPN address 208.38.11.xx
!
crypto isakmp client configuration group remote
 key 1rr1can
 pool SDM_POOL_1
 acl 102
 max-users 20
 netmask 255.255.0.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group remote
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to208.38.11.xx
 set peer 208.38.11.xx
 set transform-set ESP-3DES-SHA1
 match address 100
!
crypto ctcp port 10000
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ETH-WAN$$ES_WAN$
 ip address 208.38.8.xx 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 ip address 10.10.10.1 255.255.0.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool SDM_POOL_1 10.10.9.100 10.10.9.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 208.38.8.1
!
ip http server
no ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.0.0 0.0.255.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.0.0 0.0.255.255 10.12.0.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.10.0.0 0.0.255.255 10.12.0.0 0.0.0.255
access-list 101 permit ip 10.10.0.0 0.0.255.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 10.10.0.0 0.0.255.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end

Host B:

Building configuration...

Current configuration : 7788 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname *Host B*
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$SL.z$pj3WaB1WTxiLux46ltlMo/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime -7
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2030943716
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2030943716
 revocation-check none
 rsakeypair TP-self-signed-2030943716
!
!
crypto pki certificate chain TP-self-signed-2030943716
 certificate self-signed 01
  30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32303330 39343337 3136301E 170D3032 30333031 30303236
  30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 30333039
  34333731 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B3B3 AEC18433 9EED6DD5 DEB4E878 3D683095 A0930694 2F85C58E 2784CB4A
  E65E2B74 5F90EE1C 63FB0FA3 DA8BC41E 3C2674F6 134BD580 46528B30 D159CD1A
  BED4059A 9B2C2A3C 8D77BA73 332F3F36 16D00FFE D3133C1E DE3E2A20 B4915EFE
  15ACF77A 8C899ED3 3005D8C7 E8D94157 0DD3DA2E 4B2A407E 7B77606A BCC44F64
  47610203 010001A3 79307730 0F060355 1D130101 FF040530 030101FF 30240603
  551D1104 1D301B82 19436869 6E5F4879 64726F2E 796F7572 646F6D61 696E2E63
  6F6D301F 0603551D 23041830 16801403 F11E4386 AE903ED8 2C5EABA2 B648B086
  E2766530 1D060355 1D0E0416 041403F1 1E4386AE 903ED82C 5EABA2B6 48B086E2
  7665300D 06092A86 4886F70D 01010405 00038181 007FFAA2 7ECE2321 87704128
  A21B21D1 495B83AC 01FEE096 89DD6C99 8C403F1B B4367484 96F85C0A FAD6C105
  41E065C0 0D8262B2 4B73F037 EDDA3CA2 2D6DA102 AADD40E3 3753B7BC 67175199
  3B965188 73AC0665 3B8F6642 F4FD1FB0 500710C4 E79571A1 BF273411 0E856164
  5B689A49 DC26BCC3 E63EE2C9 D2D3B50A BBFFD3FC 4C
  quit
dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.12.0.1 10.12.0.99
!
ip dhcp pool ccp-pool1
   import all
   network 10.12.0.0 255.255.255.0
   default-router 10.12.0.1
   dns-server 207.229.52.2 205.233.109.40
!
!
no ip bootp server
ip domain name yourdomain.com
ip name-server 207.229.52.2
ip name-server 205.223.109.40
!
!
!
username admin privilege 15 secret 5 $1$MNvU$1yVJSWWZrNNatJM4XJ8Bu/
username operator privilege 8 secret 5 $1$g2ae$PnY5XOrP1ieVux3oaGrrB1
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key *key* address 208.38.8.xx
crypto isakmp key *key* address 70.65.185.xx
!
crypto isakmp client configuration group remote
 key l3tm31n
 pool SDM_POOL_2
 acl 106
 max-users 5
crypto isakmp profile ciscocp-ike-profile-1
   match identity group remote
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA1
 set isakmp-profile ciscocp-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to208.38.8.223
 set peer 208.38.8.xx
 set transform-set ESP-3DES-SHA5
 match address 105
!
crypto ctcp port 10000
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 208.38.11.xx 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.12.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 10.12.0.50 10.12.0.80
ip local pool SDM_POOL_2 10.12.1.50 10.12.1.70
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 208.38.11.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.12.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.12.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.12.0.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 permit ip 10.12.0.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.12.0.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.12.0.0 0.0.0.255 10.10.8.0 0.0.3.255
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.12.0.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 105 remark CCP_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.12.0.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 106 remark CCP_ACL Category=4
access-list 106 permit ip 10.12.0.0 0.0.0.255 any
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you
want to use.

-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

4 Replies

srikanth ath
Level 4

Hello

Before moving on to setting up the VPN, a question: have you allowed ICMP communication between the two sites (between Host A and Host B)? Can you make sure Host A is reachable from Host B, or vice versa?

The major thing is to rule out an ISP issue or a communication issue between the two sites. If they are communicating (pingable), then try to set up the VPN.

Your VPN configuration between the two sites is perfect; I don't see any issue with the configuration. If you still have issues, let us know here.

Please rate the useful posts.

thanks,

srikanth
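The reply above eyeballs the two configs and calls them consistent. The script below is that review written down, an added example for this thread and not code from the posts or from Cisco. It parses the crypto-relevant lines of both configs (reproduced inside it as constructed, cut-down copies: the masked WAN addresses 208.38.8.xx and 208.38.11.xx are replaced by the RFC 5737 stand-ins 198.51.100.10 and 203.0.113.20, both pre-shared keys by the placeholder EXAMPLE-PSK, and the transform-set, interface, DHCP and client-VPN lines are left out) and checks what must agree between two crypto-map peers before the ISP can be blamed: each side's `set peer` and `crypto isakmp key ... address` name the other side's WAN address and the keys match; at least one ISAKMP policy is identical on both ends, with the IOS defaults (hash sha, group 1, rsa-sig) filled in for lines `show run` does not print; each crypto ACL is the mirror image of the other's; and the ACL behind the NAT route-map denies the interesting traffic, because inside-to-outside NAT runs before the crypto map, so without that deny the LAN traffic is PATed to the WAN address and never matches the tunnel. The names `check_pair`, `parse`, `HOST_A`, `HOST_B`, `WAN_A` and `WAN_B` are this example's own.

```python
# Added example for this thread, not code from the posts or from Cisco: parse the crypto-relevant
# lines of both IOS configs and check that the two ends agree before blaming the ISP.
import ipaddress
import re
from collections import defaultdict
# Constructed cut-down copies of the two configs in the thread (crypto, NAT and ACL lines only).
# The masked public addresses 208.38.8.xx / 208.38.11.xx become 198.51.100.10 / 203.0.113.20 and
# the pre-shared keys a placeholder; child lines are one-space indented as 'show run' prints them.
HOST_A = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 203.0.113.20
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 203.0.113.20
 match address 100
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
access-list 100 permit ip 10.10.0.0 0.0.255.255 10.12.0.0 0.0.0.255
access-list 101 deny   ip 10.10.0.0 0.0.255.255 10.12.0.0 0.0.0.255
access-list 101 permit ip 10.10.0.0 0.0.255.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 101
"""
HOST_B = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 198.51.100.10
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 198.51.100.10
 match address 105
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
access-list 101 deny   ip 10.12.0.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 permit ip 10.12.0.0 0.0.0.255 any
access-list 105 permit ip 10.12.0.0 0.0.0.255 10.10.0.0 0.0.255.255
route-map SDM_RMAP_1 permit 1
 match ip address 101
"""
WAN_A, WAN_B = "198.51.100.10", "203.0.113.20"   # each router's FastEthernet4 address (stand-ins)
ACL = re.compile(r"^access-list (\d+) (permit|deny)\s+ip\s+(.*)$")
BLOCK = re.compile(r"^(\S.*)\n((?: .*\n)*)", re.M)   # a top-level line plus its indented children
DEFAULTS = {"encr": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}  # IOS policy defaults

def _net(t):
    """Consume one address spec ('any' or 'ADDR WILDCARD') from token list t -> (network, rest)."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    mask = ipaddress.IPv4Address(0xFFFFFFFF & ~int(ipaddress.IPv4Address(t[1])))
    return ipaddress.ip_network(f"{t[0]}/{mask}", strict=False), t[2:]

def parse(text):
    """Crypto-relevant state of one running-config."""
    c = {"policy": {}, "cmap": {}, "rmap": {}, "acls": defaultdict(list),
         "psk": {a: k for k, a in re.findall(r"^crypto isakmp key (\S+) address (\S+)", text, re.M)}}
    for head, body in BLOCK.findall(text + "\n"):
        t, kids = head.split(), [k.split() for k in body.splitlines() if k.strip()]
        m = ACL.match(head)
        if m:
            src, rest = _net(m.group(3).split())
            c["acls"][m.group(1)].append((m.group(2), src, _net(rest)[0]))
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            c["policy"][t[3]] = {**DEFAULTS, **{k[0]: k[1] for k in kids if k[0] in DEFAULTS}}
        elif t[:2] == ["crypto", "map"] and "ipsec-isakmp" in t:
            c["cmap"][t[2]] = {k[1]: k[2] for k in kids if k[0] in ("set", "match")}  # peer, address, ...
        elif t[0] == "route-map":
            c["rmap"][t[1]] = next((k[3] for k in kids if k[:3] == ["match", "ip", "address"]), None)
    rm = re.search(r"^ip nat inside source route-map (\S+)", text, re.M)
    c["nat_acl"] = c["acls"][c["rmap"][rm.group(1)]] if rm else []   # entries of the NAT route-map's ACL
    return c

def check_pair(cfg_a, wan_a, cfg_b, wan_b, names=("Host A", "Host B")):
    """Return (errors, warnings): errors would keep the tunnel down, warnings are weak settings."""
    a, b, errors, warnings, pairs = parse(cfg_a), parse(cfg_b), [], [], {}
    for n, me, far in ((names[0], a, wan_b), (names[1], b, wan_a)):
        cm = next(iter(me["cmap"].values()))   # the single crypto-map entry on each router
        if cm.get("peer") != far:
            errors.append(f"{n}: set peer {cm.get('peer')} is not the far WAN address {far}")
        if far not in me["psk"]:
            errors.append(f"{n}: no crypto isakmp key for peer {far}")
        pairs[n] = [(s, d) for act, s, d in me["acls"][cm["address"]] if act == "permit"]
        for s, d in pairs[n]:   # inside->outside NAT runs before the crypto map, so a deny must match first
            hit = next((act for act, s2, d2 in me["nat_acl"] if s2.supernet_of(s) and d2.supernet_of(d)), "deny")
            if hit != "deny":
                errors.append(f"{n}: {s} -> {d} is PATed to the WAN address before encryption (no NAT exemption)")
        warnings += [f"{n}: isakmp policy {k} uses {p['encr']}/{p['hash']}/DH group {p['group']}; prefer AES and group 14+"
                     for k, p in me["policy"].items() if p["encr"] in ("des", "3des") or p["group"] in ("1", "2", "5")]
    if a["psk"].get(wan_b) != b["psk"].get(wan_a):
        errors.append("pre-shared keys differ")
    if not {frozenset(p.items()) for p in a["policy"].values()} & {frozenset(p.items()) for p in b["policy"].values()}:
        errors.append("no ISAKMP policy (encr/hash/group/auth) is common to both routers")
    if sorted(pairs[names[0]]) != sorted((d, s) for s, d in pairs[names[1]]):
        errors.append("crypto ACLs are not mirror images of each other")
    return errors, warnings

if __name__ == "__main__":
    errs, warns = check_pair(HOST_A, WAN_A, HOST_B, WAN_B)
    print(*(["errors:"] + (errs or ["none"]) + ["warnings:"] + warns), sep="\n")
```

On the thread's pair this reports no errors and two warnings (3DES with DH group 2 on both routers), which agrees with the reply and with the outcome: the configs were fine and the fault was in the ISP's routing. Turning Host B's NAT-exempt `deny` into a `permit`, or changing its DH group, makes the corresponding error appear. Two caveats the script cannot cover from the post alone: Host B's pre-shared key is masked, so key equality can only be confirmed on the routers themselves (an ISAKMP SA reaching QM_IDLE in `show crypto isakmp sa` once the peers can reach each other), and Host B's six identical ESP-3DES-SHA* transform sets are only clutter left behind by Cisco CP, not a mismatch. Visible in the same configs but unrelated to the tunnel: Host A keeps its admin password in clear text (`no service password-encryption` with `username ... password 0`) and serves plain HTTP only, and Host B still accepts telnet on its vty lines.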

I can ping both IP addresses from an outside source (a second ISP), but I can't ping Host B from Host A or vice versa, either through the Cisco router or from the Windows command prompt. So that leads me to believe that I will need to call my ISP.

The problem was the ISP. I just got off the phone with them; they added a route on their end and everything works now. Thanks for the help and for confirming that the problem wasn't my configuration.

Please rate the helpful posts, so that others looking into this discussion know exactly what the issue was and how it got resolved.

Regards,

srikanth
